Wednesday, April 01, 2015

War on Hackers: a Clear and Present Danger

A typical hacker, according to @Viss
President Obama has upped his war on hackers by declaring a "state of emergency". This triggers several laws that grant him expanded powers, such as seizing the assets of those suspected of hacking, or taking control of the Internet.

On one hand, this seems reasonable. Hackers from China and Russia are indeed a threat, causing billions in economic damage every year, by stealing money and intellectual property. This declaration specifically targets these issues. Presumably, in the next few weeks, we'll see announcements from the Treasury Department seizing assets from Chinese companies known to have stolen intellectual property via hacking.

But on the other hand, it's problematic. Declarations of emergency tend to be permanent. We already operate under 30 declarations of emergency dating back to the Korean War. Once government grabs new powers, it tends not to give them back. Also, this really isn't an "emergency"; the hacking it addresses goes back a decade. It's an obvious corruption of the "emergency" provisions in the law for the President to bypass Congress and rule by decree.

Moreover, while tailored specifically to the threats of foreign hackers, it ultimately affects everyone everywhere. It allows the government to bypass due process and seize the assets of anybody suspected of hacking. The federal government already widely abuses "asset forfeiture" laws, seizing a billion dollars annually. This executive order expands such activities (although "freezing" isn't quite the same as "forfeiture").

Of particular concern are "security researchers". The only way to secure systems is to attack them. Securing systems means pointing out flaws, which inevitably embarrasses the powerful, who then lobby government for assistance in dealing with these pesky "hackers".

The White House knows this is a potential problem, and clarifies that it doesn't intend to use this Executive Order to go after security researchers. But this is bogus. Whether somebody is a "good guy" or a "bad guy" is merely a matter of perspective. For example, I regularly scan the entire Internet. The security research community broadly agrees this is a good thing, but the powerful disagree. I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real -- giving the government the ability to declare my scans "malicious" and to seize all my assets. It's the Treasury Department who makes these decisions -- from their eyes, "security research" is indistinguishable from witchcraft, so all us researchers are malicious.

This last week, we saw a DDoS attack by China against a key Internet infrastructure company known as "GitHub". The evidence clearly points to the Chinese government as the culprit -- yet the President has remained silent on the issue. In contrast, the President readily spoke out against North Korea based on flimsy evidence. These new powers granted by the Executive Order do nothing to stop such an attack. With proposed laws, such as the CISA surveillance expansion law, or the extensions to the CFAA, we see that the government is eager to obtain new powers, but reluctant to actually use the powers it already has to defend against hackers.

The reason the government is hesitant is that China is a thorny problem. North Korea is an insignificant country, so we bully them whenever it's convenient. In contrast, China's economy rivals our own. Moreover, trade intertwines our economies. Logical next steps to address hacking involve economic sanctions that will hurt both countries. What the government will do to address Chinese hacking then becomes a political question. No matter how many powers we give government, no matter how much we sacrifice privacy rights, stopping foreign hackers becomes a political question of foreign policy.

The conclusion is this: from the point of view of government, this Executive Order (and the follow-on actions by the Treasury Department) are a reasonable response to recent hacking. But the reality is that it's a power grab by government, granting them new powers to bypass our rights, that they are unlikely to ever give up. It's unlikely to solve the problem of foreign hacking, but will do much to expand the cyber police state.

1 comment:

@_decius_ said...

I feel that this topic has been blown way out of proportion by people who don't understand what it is and don't have any context for it. These are international trade sanctions, not domestic law enforcement powers, and they work the same way that other international trade sanctions work.

Here you make an analogy to "asset forfeiture." I've been seeing people in other forums making that parallel, and I presume it's inspired by this post. This is absolutely nothing at all like asset forfeiture. This is not something that is administrated by local law enforcement or that would ever be applied domestically or even against foreigners in countries with whom the United States has normal diplomatic relations.

You write "It allows the government to bypass due process and seize the assets of anybody suspected of hacking." No, it doesn't. That's not even close to being a fair characterization of what this is. It allows the government to bypass due process and seize the assets of people who are beyond the reach of due process because they live in countries with whom the United States does not have normal diplomatic relations who are suspected of doing things that are "a significant threat to the national security, foreign policy, or economic health or financial stability of the United States." That's a very high bar, and that bar cannot be lowered just because they want to, as there are several structural reasons that the bar is that high, including Constitutional due process protections.

The government does a lot of stupid things in the realm of information security. They are used to our community reacting negatively to those things. We react that way because we know more than they do about information security and we think they are acting out of ignorance. But they know more than we do about how policy works, and when we overreact to something like this, we sound ignorant to them. We sound like people who overreact to anything, no matter what it is. You tend to ignore people like that. The last thing we need is for government policy makers to decide that they should just ignore our community's outrage because it is rooted in ignorance.